Date: Mon, 17 Sep 2001 18:48:23 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Joe Abley <jabley@automagic.org>
Cc: lyndon@orthanc.ab.ca, kris@obsecurity.org, arch@FreeBSD.ORG
Subject: Re: Moving UUCP to ports
Message-ID: <200109180148.f8I1mYA61148@cwsys.cwsent.com>
In-Reply-To: Your message of "Mon, 17 Sep 2001 21:28:23 EDT." <20010917212822.B52922@buffoon.automagic.org>

In message <20010917212822.B52922@buffoon.automagic.org>, Joe Abley writes:
> [reposted with corrected recipient addresses; bang-paths from an
> era long past removed with prejudice]
>
> On Mon, Sep 17, 2001 at 06:35:02PM -0600, Lyndon Nerenberg wrote:
> > >>>>> "Kris" == Kris Kennaway <kris@obsecurity.org> writes:
> >
> > Kris> I would like to move the UUCP suite from the base system
> > Kris> into ports. The UUCP utilities have a security hole which
> > Kris> yields user uucp access, which can currently be leveraged to
> > Kris> obtain root access by trojaning the uucp binaries. This
> > Kris> security hole is believed to be basically unfixable due to
> > Kris> the design of UUCP: we can limit its impact, but not
> > Kris> eliminate it for all users.
> >
> > What's the specific bug here? It's hard to evaluate your request
> > without knowing the actual problem.
>
> UUCP was just (in the past week or so) removed from OpenBSD-current
> and into ports. I don't mean to suggest that anybody here should jump
> through hoops just because OpenBSD made a decision to do so; however,
> since it's a recent event I thought it might be newsworthy.
>
> I just saw the CVS log entries pertaining to the deUUCPification.
> Tracking down openbsd mailing list traffic on the subject might be
> useful.

A bug was discovered in Taylor UUCP (the UUCP used by most of the UNIX
world) and published on BUGTRAQ that users could execute arbitrary
commands as the UUCP user. UUCP was designed for a more time and is
probably inappropriate for today's world. Hence it should be moved to
ports and installed by only those who need its functionality. In an
ideal world it would not even be in ports; however, there are
applications and people who still use and need UUCP, so moving it to
ports is probably the most appropriate thing we can do.

Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message